Greetings, Bill Zissimopoulos!

>>> The main reason that I am wary of using an unused SID is that Microsoft
>>> may decide to assign some special powers to it in a future release (e.g.
>>> GodMode SID). But I agree that this is rather unlikely in the S-1-0-X
>>> namespace.
>>
>> I think it's very unlikely. We could choose any RID value we like and
>> the chance for collision is nil. When I created the new implementation
>> for POSIX ACLs, I toyed around with this already and used a special
>> Cygwin SID within the NULL SID AUTHORITY. I'm not entirely sure why I
>> changed this to the NULL SID deny ACE. I think I disliked the fact that
>> almost every Cygwin ACL would contain a mysterious "unknown SID".

> Ideally we should choose a SID that:
> (1) Is very unlikely to be used by Microsoft at any point in the future.
> (2) Cannot be associated to a user logon for any reason (see problem with
> Anonymous SID) above.
> (3) Maps to a reasonable UID in Cygwin.

> I propose the following SID/UID mapping:
> S-1-0-99 <=> UID 0xffffffff (32-bit -1)

Why not S-1-0-65535 ?
It'll map to 0x1FFFF then without any special rules.

> This is a SID in the S-1-0 (Null Authority) namespace (same one that
> contains the NULL SID), which is unlikely to be used by Microsoft. So it
> likely satisfies (1).

> For the same reason (that it is a new/unused SID in the S-1-0) namespace,
> I think it also satisfies (2).

> If we follow the rules from Cygwin’s "POSIX accounts, permission, and
> security" document [IDMAP], the SID S-1-0-99 maps to 0x10063. But we can
> make a special rule for this SID to map it to a different UID. Mapping it
> to -1 may be the easiest option, but perhaps we can also consider mapping
> it to 0xfffffffe (-2).

> Bill

> [IDMAP] https://cygwin.com/cygwin-ug-net/ntsec.html

--
With best regards,
Andrey Repin
Monday, June 27, 2016 12:08:13

Sorry for my terrible English...
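
The two candidate mappings from this thread, as an added example that is not part of the original messages and is not Cygwin's code. It assumes the generic rule for S-1-X-Y SIDs is 0x10000 + 0x100*X + Y, which agrees with the 0x10063 and 0x1FFFF values quoted above; all function names are hypothetical. It also lists which other S-1-X-Y SIDs that formula, taken literally, would send to the same UID.

```python
import re

WELL_KNOWN_BASE = 0x10000      # offset in the assumed S-1-X-Y rule
PROPOSED_SID = "S-1-0-99"      # candidate SID proposed in the thread
PROPOSED_UID = 0xFFFFFFFF      # proposed special-case UID (32-bit -1)

_SID_RE = re.compile(r"S-1-(\d+)-(\d+)")


def parse_sid(sid):
    """Return (authority X, RID Y) for a two-component SID S-1-X-Y."""
    m = _SID_RE.fullmatch(sid)
    if not m:
        raise ValueError(f"not an S-1-X-Y SID: {sid!r}")
    return int(m.group(1)), int(m.group(2))


def rule_uid(sid):
    """UID under the assumed generic rule 0x10000 + 0x100*X + Y."""
    x, y = parse_sid(sid)
    return WELL_KNOWN_BASE + 0x100 * x + y


def mapped_uid(sid, special_rule=True):
    """UID with the thread's proposed override for S-1-0-99 applied first."""
    if special_rule and sid == PROPOSED_SID:
        return PROPOSED_UID
    return rule_uid(sid)


def colliding_sids(sid, max_authority=3):
    """Other S-1-X-Y SIDs in authorities 0..max_authority (Null, World,
    Local, Creator by default) that the assumed rule maps to the same UID."""
    offset = rule_uid(sid) - WELL_KNOWN_BASE
    out = []
    for x in range(max_authority + 1):
        y = offset - 0x100 * x
        other = f"S-1-{x}-{y}"
        if y >= 0 and other != sid:
            out.append(other)
    return out


if __name__ == "__main__":
    # Constructed sample input: the two candidates from the thread.
    for s in ("S-1-0-99", "S-1-0-65535"):
        print(s, hex(mapped_uid(s, special_rule=False)), colliding_sids(s))
```
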